Abstract. An authenticated encryption scheme allows messages to be encrypted
and authenticated simultaneously. In 2003, Ma and Chen proposed such a scheme
with public verifiability. That is, in their scheme the receiver can efficiently prove
to a third party that a message indeed originated from a specific sender. In this
paper, we first identify two security weaknesses in the Ma-Chen authenticated
encryption scheme. Then, based on the Schnorr signature, we propose an efficient
and secure improved scheme such that all the desired security requirements are
satisfied.
1 Introduction

In the areas of computer communications and electronic transactions, one of the
important topics is how to send data in a confidential and authenticated way. Usually,
the confidentiality of delivered data is provided by encryption algorithms,
and the authentication of messages is guaranteed by digital signatures. In the
traditional paradigm, these two cryptographic operations are performed in the
order of encrypt-then-sign. In [2], Horster et al. proposed an efficient scheme such
that messages can be encrypted and authenticated simultaneously. Later, Lee and
Chang improved Horster et al.'s authenticated encryption scheme so that no
hash function is needed. However, neither scheme provides the property of
non-repudiation, i.e., the receiver cannot prove to a third party that some messages
indeed originated from a specific sender. In [5], Zheng introduced signcryption
schemes such that unforgeability, confidentiality, and non-repudiation can be
provided simultaneously. Since the non-repudiation protocols in [5] are based on
zero-knowledge proofs, Zheng's schemes are inefficient when there are disputes
between the receiver and the sender.

In [1], Ma and Chen proposed an efficient authenticated encryption scheme
with public verifiability. That is, in their scheme the receiver Bob can efficiently
prove to a third party that a message indeed originated from the sender Alice.
However, this paper shows that their scheme is insecure since a dishonest Bob can
forge a valid ciphertext so that it looks as if it were generated by Alice. In our attack,
the only assumption is that Bob registers his public key with a certification
authority (CA) after he knows Alice's public key. This assumption almost always
holds in the existing public key infrastructures (PKIs). Another problem in their
scheme is that their public verification protocol does not work due to a mathematical
error. To overcome these weaknesses in the Ma-Chen scheme, we propose
a new scheme based on the Schnorr signature. In addition, technical discussions
are provided to show that our scheme is secure and efficient.

The rest of this paper is organized as follows. Section 2 first reviews the Ma- 
Chen scheme. Then, the security analysis is presented in Section 3. After that, we 
propose a new scheme and analyze it in Section 4. Finally, the conclusion is given 
in Section 5. 

2 Review of the Ma-Chen Scheme

A trusted third party (TTP) selects a triple $(p, q, g)$, where $p$ and $q$ are two large
primes satisfying $q \mid (p - 1)$, and $g \in \mathbb{Z}_p^*$ is an element of order $q$. It is assumed
that the Decisional Diffie-Hellman (DDH) problem is difficult in the cyclic group
$G_q = \langle g \rangle$. That is, given $g, g^a, g^b, g^c \in G_q$ where $a$, $b$ and $c$ are unknown random
numbers, it is infeasible to determine whether $g^{ab} \bmod p$ equals $g^c \bmod p$ (see footnote 1). In
addition, the TTP publishes a secure hash function $H(\cdot)$. We assume that Alice
and Bob have the certified secret/public key pairs $(x_A, y_A = g^{x_A} \bmod p)$ and
$(x_B, y_B = g^{x_B} \bmod p)$, respectively.

To send a message $m \in \mathbb{Z}_p^*$ to the receiver Bob, the sender Alice does as follows.

(A-1) Pick a random number $k \in \mathbb{Z}_q^*$, and then compute $v = (g \cdot y_B)^k \bmod p$ and
$e = v \bmod q$.

(A-2) Set $c = m \cdot H(v)^{-1} \bmod p$, $r = H(e, H(m))$, and $s = k - x_A \cdot r \bmod q$.

(A-3) Send the triple $(c, r, s)$ to Bob via a public channel.

Upon receiving $(c, r, s)$ from Alice, the receiver Bob does the following:

(B-1) Compute $v = (g \cdot y_B)^s \cdot y_A^{r(x_B + 1)} \bmod p$ and $e = v \bmod q$.

(B-2) Recover the message $m = c \cdot H(v) \bmod p$, and check whether $r = H(e, H(m))$.

(B-3) If $r = H(e, H(m))$ holds, Bob concludes that $(c, r, s)$ was indeed encrypted
by Alice.

For public verification, Bob first computes $K_1 = (y_B^s \cdot y_A^{r x_B} \bmod p) \bmod q$,
and then forwards $(H(m), K_1, r, s)$ to the arbitrator TTP. The TTP performs as
follows:

(TTP-1) Compute $e' = (g^s \cdot y_A^r \cdot K_1 \bmod p) \bmod q$.

(TTP-2) If $r = H(e', H(m))$, the TTP concludes that Alice is the originator of the
encryption and signature.

Footnote 1: There are another two related numerical assumptions, i.e., that the discrete logarithm (DL) problem
and the computational Diffie-Hellman (CDH) problem are difficult in the cyclic group $G_q = \langle g \rangle$.
That is, given $g, g^a, g^b \in G_q$ where $a$ and $b$ are unknown random numbers, it is infeasible to
compute $a$ or $g^{ab} \bmod p$. Actually, it is easy to see that the DDH assumption is at least as strong
as the CDH assumption, and the CDH assumption is at least as strong as the DL assumption.

3 Security Analysis of the Ma-Chen Scheme

We now give some explanations and remarks on the Ma-Chen scheme. Note that
to decrypt and verify the triple $(c, r, s)$, one needs to know the value of $x_B$ or $u_{AB}$,
where $u_{AB} = g^{x_A x_B} \bmod p$. Actually, using $u_{AB}$ the ciphertext $(c, r, s)$ can be
easily decrypted and verified as follows: (a) compute $v = (g \cdot y_B)^s \cdot u_{AB}^r \cdot y_A^r \bmod p$
and $e = v \bmod q$; (b) recover $m = c \cdot H(v) \bmod p$, and check whether $r =
H(e, H(m))$. Therefore, the value of $u_{AB}$ must not be revealed to anybody other
than Alice and Bob. The authors of [1] noticed this problem. Therefore, in their
scheme only the tuple $(H(m), K_1, r, s)$ (not including the value of $v$) is revealed
to the TTP, so that even the TTP cannot derive the value of $u_{AB}$. The reason is
that if one value of $v$ is known by the TTP (or anybody else), then $u_{AB}$ can be
obtained easily by $u_{AB} = y_A^{-1} \cdot v^{r^{-1}} \cdot (g \cdot y_B)^{-s r^{-1}} \bmod p$. In addition, recall that
nobody can derive the value of $u_{AB}$ directly from Alice's public key $y_A$ and
Bob's public key $y_B$, since it has been assumed that the DDH assumption holds
in the multiplicative cyclic subgroup $G_q = \langle g \rangle$.

Based on the above observations and the fact that the value of $s$ in the Ma-Chen
scheme is computed in a very similar way as in the secure Schnorr signature
scheme, the authors of [3] analyzed the security of their scheme, and claimed
that their scheme satisfies the following security properties:

(1) Unforgeability: Except for Alice, no attacker (including Bob) can generate a
valid ciphertext $(c, r, s)$ for a message $m$ such that the verification procedure (B-1
to B-3) or the public verification procedure (TTP-1 to TTP-2) is satisfied.

(2) Confidentiality: Under the DDH assumption, no third party can derive
the message $m$ from the ciphertext $(c, r, s)$.

(3) Non-repudiation: Once Bob reveals $(H(m), K_1, r, s)$, anybody can verify that
$(r, s)$ is Alice's signature. Therefore, the TTP can settle possible disputes between
Alice and Bob.

However, in the following we show that their scheme is actually forgeable.
Moreover, we identify a design error in their public verification procedure. That
is, even if all parties follow the specifications of their scheme honestly, the TTP
cannot conclude that $(H(m), K_1, r, s)$ was generated by Alice. Therefore, the Ma-Chen
scheme does not meet the properties of unforgeability, non-repudiation and
public verifiability.

Forgeability. Firstly, the authors observed that Bob is the strongest attacker
against forging a triple $(c, r, s)$, since he knows $x_B$, which is used in the verification procedure.
Then, they claimed that their scheme is equivalent to the Schnorr signature scheme.
So they concluded that their scheme is unforgeable against adaptive attacks, as
the Schnorr signature is proved to be unforgeable (in the random oracle model).
Unfortunately, we notice that this is not the case, even though the value of $s$ is
indeed calculated in a very similar way as in the Schnorr signature. To show
this fact directly, we now demonstrate a concrete attack on the Ma-Chen scheme.
In our attack, we assume that Bob registers his public key $y_B$ with a certification
authority (CA) after he knows Alice's public key $y_A$. This assumption almost
always holds in the existing public key infrastructures (PKIs). In any case, in the
original paper [1], it is not specified that Alice and Bob have to register their
public keys simultaneously. Moreover, in many scenarios it seems worthwhile to register or
update a (new) public key from the point of view of the (malicious) verifier Bob, even
if such an action can only enable him to forge one valid ciphertext for one message.

To mount this attack, the verifier Bob forges a valid ciphertext $(c, r, s)$ for a
message $m$ of his choice as follows.

(1) Pick two random numbers $a, b \in \mathbb{Z}_q^*$, and compute $v = g^a \cdot y_A^b \bmod p$.

(2) Compute $e = v \bmod q$, $c = m \cdot H(v)^{-1} \bmod p$, $r = H(e, H(m))$, and $s =
r a b^{-1} \bmod q$.

(3) Set his secret key $x_B = b r^{-1} - 1 \bmod q$, and then register the public key
$y_B = g^{x_B} \bmod p$ with a certification authority (CA).

We now show that the forged triple $(c, r, s)$ is a valid ciphertext for message $m$
with respect to the public keys $y_A$ and $y_B$. Firstly, the following equalities hold:

$$(g \cdot y_B)^s \cdot y_A^{r(x_B + 1)} \bmod p = g^{(1 + x_B) s} \cdot y_A^{b} \bmod p = g^a \cdot y_A^b \bmod p = v.$$

Then, we have $e = v \bmod q$, $m = c \cdot H(v) \bmod p$, and $r = H(e, H(m))$. So $(c, r, s)$
is a valid triple.

In addition, note that even if Alice later realizes that a triple $(c, r, s)$ was forged via
the above attack procedure, she cannot defend herself by computing Bob's
secret $x_B$. We explain the reasons as follows. Since the hash function $H(\cdot)$ is usually
modelled as a random function, the useful information for Alice in deriving the secret key $x_B$
is the following three equations: $v = g^a \cdot y_A^b \bmod p$, $s = r a b^{-1} \bmod q$,
and $x_B = b r^{-1} - 1 \bmod q$. Firstly, note that Alice (with her secret key $x_A$) cannot
derive the values of $a$ and $b$ from the equation $v = g^a \cdot y_A^b \bmod p$, as there are $q - 1$
candidate pairs $(a, b)$. More specifically, for any given $a \in \mathbb{Z}_q^*$ there is a
fixed value of $b$ such that $v = g^a \cdot y_A^b \bmod p$. Secondly, Alice can try to derive the
value of $x_B$ by eliminating $a$ and $b$ in the above three equations. To do so, she
knows that $a = s(1 + x_B) \bmod q$ and $b = r(1 + x_B) \bmod q$. Consequently, Alice
gets the equation $v = (g^s \cdot y_A^r)^{1 + x_B} \bmod p$. To get the value of $x_B$ from this equation,
Alice has to face the discrete logarithm problem, which is widely believed to be
intractable.

Design Error. We note that the TTP cannot validate a valid tuple $(H(m), K_1, r, s)$
by the public verification procedure, i.e., TTP-1 to TTP-2. The reason is that
$e' \neq e$ even if Alice, Bob, and the TTP are all honest. Namely,

$$\big[(g \cdot y_B)^s \cdot y_A^{r(x_B + 1)} \bmod p\big] \bmod q \neq \big[g^s \cdot y_A^r \cdot K_1 \bmod p\big] \bmod q,$$

where $K_1 = (y_B^s \cdot y_A^{r x_B} \bmod p) \bmod q$, and $p$ and $q$ are two primes such that $q \mid (p - 1)$.
Indeed, $(g \cdot y_B)^s \cdot y_A^{r(x_B + 1)} = g^s \cdot y_A^r \cdot (y_B^s \cdot y_A^{r x_B}) \bmod p$, so the two sides agree
only if the factor $y_B^s \cdot y_A^{r x_B} \bmod p$ is used as is; reducing it modulo $q$ first, as $K_1$ does,
changes its value modulo $p$. In the original paper [1], however, those two expressions are considered
equivalent. This problem was also identified independently by Wen et al. [7]. For
more details, please refer to their paper.
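The following Python model is an added illustration (not code from the paper or from Ma and Chen) of the three points above: the Section 2 procedures, the Section 3 remark that any known $v$ leaks $u_{AB}$, the receiver forgery, and the design error in TTP-1/TTP-2. It assumes a constructed toy group $p = 2039$, $q = 1019$, $g = 4$, models the single hash $H(\cdot)$ of the paper by two SHA-256-based hashes (`H_p` into $\mathbb{Z}_p^*$ for the mask $H(v)$ and $H(m)$, `H_q` into $\mathbb{Z}_q^*$ for $r$, so that both are invertible), and is not secure at this size.

```python
"""Toy model of the Ma-Chen scheme (Section 2), the receiver forgery and the
public-verification design error (Section 3). Added illustration, not the
paper's own code; toy parameters, NOT secure."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1, q prime, g = 4 is a square so it has order q.
P, Q, G = 2039, 1019, 4


def _digest(*vals) -> int:
    return int.from_bytes(hashlib.sha256("|".join(map(str, vals)).encode()).digest(), "big")


def H_p(*vals) -> int:
    """Hash into Z_p^* (used for H(v) and H(m)); the range split is an assumption."""
    return 1 + _digest("p", *vals) % (P - 1)


def H_q(*vals) -> int:
    """Hash into Z_q^* (used for r = H(e, H(m))) so that r is invertible mod q."""
    return 1 + _digest("q", *vals) % (Q - 1)


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def keygen():
    x = rand_exp()
    return x, pow(G, x, P)


def encrypt(m: int, x_a: int, y_b: int):
    """Steps A-1 to A-3: Alice produces (c, r, s) for Bob."""
    k = rand_exp()
    v = pow(G * y_b % P, k, P)
    e = v % Q
    c = m * pow(H_p(v), -1, P) % P
    r = H_q(e, H_p(m))
    s = (k - x_a * r) % Q
    return c, r, s


def recover_v(r: int, s: int, x_b: int, y_a: int) -> int:
    """Step B-1: v = (g * y_B)^s * y_A^{r(x_B + 1)} mod p."""
    y_b = pow(G, x_b, P)
    return pow(G * y_b % P, s, P) * pow(y_a, r * (x_b + 1) % Q, P) % P


def decrypt(c: int, r: int, s: int, x_b: int, y_a: int):
    """Steps B-2/B-3: returns m, or None when r != H(e, H(m))."""
    v = recover_v(r, s, x_b, y_a)
    m = c * H_p(v) % P
    return m if r == H_q(v % Q, H_p(m)) else None


def u_ab_from_v(v: int, r: int, s: int, y_a: int, y_b: int) -> int:
    """Section 3 remark: a known v yields u_AB = y_A^{-1} v^{1/r} (g y_B)^{-s/r} mod p."""
    r_inv = pow(r, -1, Q)
    return (pow(y_a, -1, P) * pow(v, r_inv, P)
            * pow(G * y_b % P, (-s * r_inv) % Q, P)) % P


def forge(m: int, y_a: int):
    """Receiver forgery, steps (1)-(3): Bob fixes x_B after seeing y_A."""
    a, b = rand_exp(), rand_exp()
    v = pow(G, a, P) * pow(y_a, b, P) % P
    c = m * pow(H_p(v), -1, P) % P
    r = H_q(v % Q, H_p(m))
    s = r * a * pow(b, -1, Q) % Q
    x_b = (b * pow(r, -1, Q) - 1) % Q
    return (c, r, s), x_b


def ttp_check(hm: int, K1: int, r: int, s: int, y_a: int) -> bool:
    """Steps TTP-1/TTP-2 exactly as specified, with K1 already reduced mod q."""
    e2 = (pow(G, s, P) * pow(y_a, r, P) * K1 % P) % Q
    return r == H_q(e2, hm)


def design_error(trials: int = 8):
    """Honest runs: the specified check with K1 = K mod q fails, while the same
    check with the unreduced K = y_B^s y_A^{r x_B} mod p succeeds. Releasing that
    K is no fix: g^s y_A^r K = v mod p, so it would leak v and hence u_AB."""
    specified, unreduced = [], []
    for _ in range(trials):
        x_a, y_a = keygen()
        x_b, y_b = keygen()
        m = rand_exp()
        c, r, s = encrypt(m, x_a, y_b)
        K = pow(y_b, s, P) * pow(y_a, r * x_b % Q, P) % P
        specified.append(ttp_check(H_p(m), K % Q, r, s, y_a))
        unreduced.append(ttp_check(H_p(m), K, r, s, y_a))
    return specified, unreduced
```

`decrypt` reproduces the honest exchange, `forge` produces a triple that `decrypt` accepts under the forger's own registered key, and `design_error` shows that the reduction modulo $q$ in $K_1$ is exactly what breaks TTP-1, while the unreduced factor cannot be released because it reveals $v$.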

4 Improved Scheme

In this section, we propose an improvement of the Ma-Chen scheme by exploiting
an idea similar to that of Bao and Deng. However, unlike Bao and Deng's
work, we use the provably secure Schnorr signature as the underlying signature
scheme. Furthermore, technical discussions are provided to show that our scheme
is secure and efficient.

4.1 Description of the Scheme

In our scheme, we assume that $(E_K(\cdot), D_K(\cdot))$ is a pair of ideal symmetric key
encryption/decryption algorithms under the session key $K$. In addition, $h(\cdot)$ is
another suitable hash function, which maps a number in $\mathbb{Z}_p$ to a session key for
our symmetric key encryption/decryption algorithms. Other notations are the
same as in Section 2.

To send a message $m \in \mathbb{Z}_p^*$ to the receiver Bob in an authenticated and encrypted
way, the sender Alice does as follows.

(A-1) Pick a random number $k \in \mathbb{Z}_q^*$, and then compute $t_1 = g^k \bmod p$ and
$t_2 = y_B^k \bmod p$.

(A-2) Set $c = E_{h(t_2)}(m)$, $r = H(m, t_1)$, and $s = k + r \cdot x_A \bmod q$.

(A-3) Send the triple $(c, r, s)$ to Bob via a public channel.

Upon receiving $(c, r, s)$ from Alice, the receiver Bob does the following:

(B-1) Compute $t_1 = g^s y_A^{-r} \bmod p$ and $t_2 = t_1^{x_B} \bmod p$.

(B-2) Recover the message $m = D_{h(t_2)}(c)$, and check whether $r = H(m, t_1)$.

(B-3) If $r = H(m, t_1)$ holds, Bob concludes that $(c, r, s)$ was indeed encrypted by
Alice.

For public verification, Bob just needs to release $(m, r, s)$. Then, any verifier
can check whether $(r, s)$ is a standard Schnorr signature for message $m$ as follows:

(V-1) Compute $t_1 = g^s y_A^{-r} \bmod p$.

(V-2) $(r, s)$ is Alice's valid signature for message $m$ if and only if $r = H(m, t_1)$.
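The following Python model is an added illustration of steps A-1 to V-2 (not code from the paper), also exercising the public verification relied on in Section 4.2. It assumes the same constructed toy group $p = 2039$, $q = 1019$, $g = 4$, takes $r = H(m, t_1)$ in $\mathbb{Z}_q^*$ via SHA-256 (the paper leaves the range implicit), derives $h(t_2)$ with SHA-256, and stands in for the ideal cipher $(E_K, D_K)$ with a SHA-256 keystream XOR; none of this is secure at toy size or meant as a production cipher.

```python
"""Toy model of the Schnorr-based scheme of Section 4.1. Added illustration,
not the paper's code; toy parameters and a stand-in cipher, NOT secure."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1, q prime, g = 4 is a square so it has order q.
P, Q, G = 2039, 1019, 4


def H(m: bytes, t1: int) -> int:
    """r = H(m, t1), taken in Z_q^* (assumption: the paper leaves the range implicit)."""
    d = hashlib.sha256(m + b"|" + str(t1).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)


def h(t2: int) -> bytes:
    """Session-key derivation h(.) from t2 in Z_p to a 32-byte symmetric key."""
    return hashlib.sha256(b"key|" + str(t2).encode()).digest()


def E(key: bytes, m: bytes) -> bytes:
    """Stand-in for the ideal cipher E_K: XOR with a SHA-256 keystream
    (assumption; any secure cipher keyed with h(t2) fills this role)."""
    out = bytearray()
    for i in range(0, len(m), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(m[i:i + 32], block))
    return bytes(out)


D = E  # keystream XOR: decryption D_K is the same operation as E_K


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(m: bytes, x_a: int, y_b: int):
    """Steps A-1 to A-3: Alice produces (c, r, s) for Bob."""
    k = secrets.randbelow(Q - 1) + 1
    t1 = pow(G, k, P)
    t2 = pow(y_b, k, P)
    c = E(h(t2), m)
    r = H(m, t1)
    s = (k + r * x_a) % Q
    return c, r, s


def schnorr_t1(r: int, s: int, y_a: int) -> int:
    """t1 = g^s * y_A^{-r} mod p, the computation shared by B-1 and V-1."""
    return pow(G, s, P) * pow(y_a, (-r) % Q, P) % P


def decrypt(c: bytes, r: int, s: int, x_b: int, y_a: int):
    """Steps B-1 to B-3: returns m, or None if the check r = H(m, t1) fails."""
    t1 = schnorr_t1(r, s, y_a)
    t2 = pow(t1, x_b, P)  # only the holder of x_B recovers t2 = y_B^k
    m = D(h(t2), c)
    return m if r == H(m, t1) else None


def public_verify(m: bytes, r: int, s: int, y_a: int) -> bool:
    """Steps V-1/V-2: anyone checks the released (m, r, s) as a Schnorr signature,
    without x_B and without learning t2."""
    return r == H(m, schnorr_t1(r, s, y_a))
```

Only `x_b` enters `decrypt`, and only `y_a` enters `public_verify`: that separation is what lets Bob release $(m, r, s)$ for dispute settlement without exposing any key material, in contrast to the $K_1$ construction of the Ma-Chen scheme.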



4.2 Security

Our scheme is very simple in its logical structure. That is, we use exactly the
Schnorr signature scheme to generate the pair $(r, s)$, i.e., the standard Schnorr signature
for a message $m$. Therefore, according to the provable security of the Schnorr
signature given in [5], no adaptive attacker (including Bob) can forge a valid
ciphertext $(c, r, s)$ for any message $m$ such that $m = D_{h(t_2)}(c)$ and $r = H(m, t_1)$,
where $t_1 = g^s y_A^{-r} \bmod p$ and $t_2 = t_1^{x_B} \bmod p$. Otherwise, this would imply that the attacker
has successfully forged a valid Schnorr signature $(r, s)$ for a message $m$, which is
in turn contrary to the provable security of the Schnorr signature scheme. So our
scheme satisfies unforgeability.

Now we discuss confidentiality, i.e., that nobody except the receiver Bob
can extract the plaintext $m$ from the ciphertext $(c, r, s)$. Firstly, note that an
attacker cannot extract the plaintext $m$ from the equality $r = H(m, t_1)$ after
recovering $t_1 = g^s y_A^{-r} \bmod p$, since the secure hash function $H(m, t_1)$ hides the
information of $m$. Another way of getting the message $m$ is to decrypt the ciphertext
$c$ directly. To do so, the attacker has to obtain the session key $h(t_2)$,
since $(E_K(\cdot), D_K(\cdot))$ is assumed to be an ideal (so secure) symmetric key
encryption/decryption algorithm pair. This means that to get the session key $h(t_2)$, the
attacker has to get the value of $t_2$ first, since $h(\cdot)$ is also a secure hash function.
However, the attacker cannot get the value of $t_2$ from the values $t_1$ and $y_B$. In
fact, the latter problem is the CDH problem, which is widely believed to be intractable
in the security community. Therefore, we conclude that our scheme meets the
confidentiality requirement.

Finally, the property of non-repudiation is also satisfied in our scheme due to
the following two facts: (a) only Alice can generate a valid ciphertext $(c, r, s)$; and
(b) anybody can verify that $(r, s)$ is a standard Schnorr signature if the receiver
Bob releases the triple $(m, r, s)$. Consequently, a TTP can easily settle potential
disputes between Alice and Bob by checking whether $r = H(m, t_1)$, where $t_1$ is
computed by $t_1 = g^s y_A^{-r} \bmod p$.

4.3 Efficiency 

In our scheme and the Ma-Chen scheme, the length of the ciphertext $(c, r, s)$ is the
same, i.e., $|p| + 2|q|$ bits. For a real system, $p$ and $q$ can be selected as primes
with lengths of 1024 bits and 160 bits, respectively. In this setting, the length of the
ciphertext $(c, r, s)$ is 1344 bits.

We now discuss the computation overhead. We only count the number of
exponentiations performed by each party, since exponentiation
is the most time-consuming operation in most cryptosystems.
In the Ma-Chen scheme, 3 exponentiations are needed to generate and verify a ciphertext
(by Alice and Bob). In our scheme, this number is 5, a slight increase.
However, to convert a ciphertext $(c, r, s)$ into a publicly verifiable form, Bob does not
need to perform any exponentiation in our scheme, while in the Ma-Chen scheme
2 exponentiations are required. In addition, the TTP needs to
perform 2 exponentiations in the public verification procedures of both schemes. In a
word, the two schemes differ little in performance.

5 Conclusion

In this paper, we identified two security weaknesses in the Ma-Chen authenticated
encryption scheme proposed in [1]. Our results showed that their scheme is
insecure. Moreover, based on the Schnorr signature scheme, we proposed a new
scheme such that all desired security requirements are satisfied.